{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/data-loss/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Github"],"_cs_severities":["medium"],"_cs_tags":["github","audit","data-loss","impact"],"_cs_type":"advisory","_cs_vendors":["Github"],"content_html":"\u003cp\u003eThis detection strategy focuses on identifying potentially malicious or unauthorized deletion activities within a GitHub organization. The detections hinge on monitoring GitHub audit logs for specific actions related to the deletion of critical resources. This includes actions such as deleting codespaces (\u003ccode\u003ecodespaces.destroy\u003c/code\u003e), deleting environments (\u003ccode\u003eenvironment.delete\u003c/code\u003e), deleting projects (\u003ccode\u003eproject.delete\u003c/code\u003e), and destroying repositories (\u003ccode\u003erepo.destroy\u003c/code\u003e). This activity is important for defenders because these actions can lead to data loss, service disruption, or compromise of the software development lifecycle. The detections are triggered by events recorded within the GitHub audit log, requiring audit log streaming to be enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains unauthorized access to a GitHub account with sufficient privileges. 
This could be achieved through compromised credentials or insider access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Optional):\u003c/strong\u003e The attacker escalates privileges within the GitHub organization to gain the necessary permissions to delete resources if they don\u0026rsquo;t already have them.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker identifies valuable codespaces, environments, projects, or repositories within the GitHub organization that they intend to delete.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeletion of Codespaces:\u003c/strong\u003e The attacker executes the \u003ccode\u003ecodespaces.destroy\u003c/code\u003e action, deleting a specific codespace instance, potentially disrupting development workflows.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeletion of Environments:\u003c/strong\u003e The attacker executes the \u003ccode\u003eenvironment.delete\u003c/code\u003e action, removing a specific environment configuration, potentially affecting deployment processes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeletion of Projects:\u003c/strong\u003e The attacker executes the \u003ccode\u003eproject.delete\u003c/code\u003e action, deleting a project board and its associated tasks, impacting project management.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeletion of Repositories:\u003c/strong\u003e The attacker executes the \u003ccode\u003erepo.destroy\u003c/code\u003e action, permanently deleting a repository, leading to code loss and potential service disruption.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The deletion of critical resources disrupts development workflows, causes data loss, and potentially compromises the software development lifecycle.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of these actions can lead to significant 
disruption of software development workflows, data loss, and potential compromise of the software supply chain. The number of affected resources and the severity of the impact depend on the scope of the attacker\u0026rsquo;s access and the criticality of the deleted resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable GitHub audit log streaming to capture the necessary events for detection (reference: logsource definition).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect \u003ccode\u003ecodespaces.destroy\u003c/code\u003e, \u003ccode\u003eenvironment.delete\u003c/code\u003e, \u003ccode\u003eproject.delete\u003c/code\u003e, and \u003ccode\u003erepo.destroy\u003c/code\u003e actions in the GitHub audit logs, and tune for your environment (reference: rules).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule to determine the legitimacy of the deletion activity and the actor involved (reference: rules, falsepositives).\u003c/li\u003e\n\u003cli\u003eValidate the \u0026ldquo;actor\u0026rdquo; field in the audit logs to ensure the deletion activity is performed by an authorized user (reference: falsepositives).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T10:00:00Z","date_published":"2026-04-28T10:00:00Z","id":"/briefs/2026-04-github-delete-action/","summary":"This brief focuses on detecting deletion actions within GitHub audit logs, specifically targeting the deletion of codespaces, environments, projects, and repositories, potentially indicating malicious activity or insider threats.","title":"Detection of Github Delete Actions in Audit 
Logs","url":"https://feed.craftedsignal.io/briefs/2026-04-github-delete-action/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["interfaces"],"_cs_severities":["high"],"_cs_tags":["sql-injection","data-loss","appsmith"],"_cs_type":"advisory","_cs_vendors":["Appsmith"],"content_html":"\u003cp\u003eA SQL injection vulnerability has been identified in Appsmith\u0026rsquo;s \u003ccode\u003eFilterDataServiceCE.java\u003c/code\u003e, specifically within the \u003ccode\u003edropTable\u003c/code\u003e method. This flaw affects Appsmith server instances running versions 1.98 and earlier of the \u003ccode\u003einterfaces\u003c/code\u003e package. The vulnerability stems from the direct concatenation of user-supplied table names into a SQL \u003ccode\u003eDROP TABLE\u003c/code\u003e statement without proper sanitization or validation. If an attacker can control the \u003ccode\u003etableName\u003c/code\u003e argument, they can inject arbitrary SQL commands, potentially leading to unauthorized data manipulation, exfiltration, or data loss. This is particularly concerning in scenarios where the \u003ccode\u003edropTable\u003c/code\u003e function is exposed through an API or utility accessible to users.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an Appsmith instance running a vulnerable version (\u0026lt;= 1.98) of the \u003ccode\u003einterfaces\u003c/code\u003e package.\u003c/li\u003e\n\u003cli\u003eThe attacker discovers an endpoint or API that uses the \u003ccode\u003edropTable\u003c/code\u003e method of \u003ccode\u003eFilterDataServiceCE.java\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003etableName\u003c/code\u003e input containing a SQL injection payload. 
Example: \u003ccode\u003evalid_table; DROP TABLE users; --\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious input is passed to the \u003ccode\u003edropTable\u003c/code\u003e method within \u003ccode\u003eFilterDataServiceCE.java\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edropTable\u003c/code\u003e method concatenates the unsanitized input into a SQL \u003ccode\u003eDROP TABLE\u003c/code\u003e statement.\u003c/li\u003e\n\u003cli\u003eThe resulting SQL query, containing the injected commands, is executed against the database via the \u003ccode\u003eexecuteDbQuery\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThe injected SQL commands are executed, potentially dropping tables, modifying data, or exfiltrating sensitive information, depending on the attacker\u0026rsquo;s payload and the database user\u0026rsquo;s permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data loss through arbitrary table deletion.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can have severe consequences. The primary impact is data loss, as attackers can arbitrarily drop tables within the database. Depending on the database user\u0026rsquo;s privileges, attackers may also be able to exfiltrate sensitive data or modify existing data. The vulnerability affects Appsmith server instances. The number of affected instances is currently unknown. 
However, the potential impact includes unauthorized access to and manipulation of sensitive data, impacting the confidentiality, integrity, and availability of the Appsmith application and its underlying database.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Appsmith \u003ccode\u003einterfaces\u003c/code\u003e package to a version greater than 1.98 to patch the SQL injection vulnerability in \u003ccode\u003eFilterDataServiceCE.java\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on any endpoints or APIs that use the \u003ccode\u003edropTable\u003c/code\u003e method to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect attempts to exploit this SQL injection vulnerability by monitoring for suspicious table names in logs associated with database operations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-appsmith-sql-injection/","summary":"A SQL injection vulnerability exists in Appsmith's FilterDataServiceCE.java in versions 1.98 and earlier where the dropTable method constructs a SQL DROP TABLE statement using string concatenation with the table name, allowing arbitrary SQL command execution, leading to potential data loss, exfiltration, or modification.","title":"Appsmith SQL Injection Vulnerability in FilterDataService","url":"https://feed.craftedsignal.io/briefs/2024-01-appsmith-sql-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["phpVMS"],"_cs_severities":["critical"],"_cs_tags":["authorization-bypass","data-loss","phpvms"],"_cs_type":"advisory","_cs_vendors":["phpvms"],"content_html":"\u003cp\u003eA critical vulnerability has been identified in phpVMS 7.x, specifically affecting versions up to 7.0.5. 
This vulnerability stems from a deprecated legacy import feature that, despite its intended obsolescence, remained partially accessible without authentication. A remote, unauthenticated attacker could exploit this flaw to interact with internal processes responsible for data manipulation within the application. The vulnerability was addressed in phpVMS version 7.0.6, which removes public access to the vulnerable feature, highlighting the importance of prompt patching to mitigate the risk of unauthorized data modification or deletion.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted HTTP request to the \u003ccode\u003e/importer\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly validate the request, granting access to the legacy import feature.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the exposed import functionality to initiate a data manipulation process.\u003c/li\u003e\n\u003cli\u003eThe application executes the attacker-initiated process without proper authorization checks.\u003c/li\u003e\n\u003cli\u003eThe import process modifies or deletes data within the application\u0026rsquo;s database.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats the process to maximize data corruption or deletion.\u003c/li\u003e\n\u003cli\u003eThe application becomes unstable or unusable due to the corrupted database.\u003c/li\u003e\n\u003cli\u003eService disruption occurs, impacting all users of the phpVMS system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe exploitation of this vulnerability in phpVMS can lead to significant data loss and service disruption. An attacker can remotely trigger the modification or deletion of critical application data without any authentication. This can result in a complete loss of data integrity, rendering the application unusable. 
The specific number of potential victims depends on the number of phpVMS instances running vulnerable versions (\u0026lt;= 7.0.5). Successful exploitation can lead to extended downtime and significant recovery efforts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade to phpVMS version 7.0.6 or later to remediate \u003cstrong\u003eCVE-2026-42569\u003c/strong\u003e.\u003c/li\u003e\n\u003cli\u003eIf an immediate upgrade is not feasible, follow the instructions provided in the release notes for version 7.0.6 to disable the vulnerable \u003ccode\u003e/importer\u003c/code\u003e routes.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to monitor for suspicious requests to the \u003ccode\u003e/importer\u003c/code\u003e endpoint, indicative of attempted exploitation.\u003c/li\u003e\n\u003cli\u003eEnable web server access logging and review logs for unauthorized access attempts to the \u003ccode\u003e/importer\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-phpvms-auth-bypass/","summary":"A critical vulnerability exists in phpVMS 7.x versions up to 7.0.5, allowing unauthenticated access to a legacy import feature, enabling a remote attacker to trigger internal processes that can modify or delete application data, potentially leading to data loss and service disruption.","title":"phpVMS Unauthenticated Access to Legacy Import Feature","url":"https://feed.craftedsignal.io/briefs/2024-01-phpvms-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Data-Loss","version":"https://jsonfeed.org/version/1.1"}